is SPF working as intended?

[Sven L.]

So, what you are saying is that the mail is not really spoofed, but postfix does think so?

And this is working as intended?

In my inbox the messages show as if I sent them from my own domain and exactly this is what worries my customers. They know nothing of plesk or SPF or postfix. They just see spoofed emails in their inbox and want this to stop happening.

 

[IgorG]

I just want to say that it is email from [email protected] and rules from remote domain aexp.com are taken and applied consistently. As result this domain of sender is matched to softfail ~all Confirmation can be easily found in maillog.
If you are not agree - contact Parallels Support Team. They will check it directly on your server.

 

[Sven L.]

IgorG

I appretiate all your help so far, but now you're just washing my questions under the carpet.

I do no longer care if this problem is from SPF, postfix or whatever. IT IS A PROBLEM, period.
I don't really care that the true sender is [email protected] and his ~all SPF resolves correctly

What I do care (and all my customers too) is that in my inbox, the mails show as if my own domain sent them.
In my inbox (roundcube and outlook both show the same) The mails show as FROM: [email protected] TO: [email protected]
This is a HUGE problem in big domains where not everybody knows all employees and they may open a phishing or virus mail thinking it is from a work partner.

My question now is: WHY? and HOW TO PREVENT IT?

 

[IgorG]

My question now is: WHY? and HOW TO PREVENT IT?

1. Because it is spam. Usual spam.
2. You can set up considering of softfail result as reject action in SPF settings. Or just use Greylisting - http://download1.parallels.com/Plesk/PP11/11.5/Doc/en-US/online/plesk-administrator-guide/63249.htm

 

[Sven L.]

no it is not "simple spam" because in the inbox, which is what matters to the customers, it looks like a SPOOFED mail.
as I said before, I don't really care anymore if this is a postfix, SPF or Mickey Mouse problem. I want to know how to solve this.
I'll have to repeat myself as it seems I don't make myself clear enough:
I don't care what the logs say, what I (and my customers) DO care is that in our inboxes we receive emails that show as if they were sent from our own domain.
This is unacceptable because our domains have SPF -all and a SPF antispam hardfail configuration which SHOULD prevent this from happening.

softmail is not an option, as there are too many servers configured with ~all . Been there, done that. And we lost valid mails. also: greylisting is already enabled

Why do we receive emails in our inboxes that show (roundcube, outlook and mail headers) as if they were sent from our own domain? you said it's "simple spam" but that's just not true. "simple spam" doesn't show as if we send it ourselves.

 

[paulieG]

Hi Sven,

I'm afraid Igor is right, this is spam, this is email.

Where the confusion is arising is that the From address of an email is ignored where there is a different Return-Path . So the SPF lookups are made against the Return-Path ([email protected]) not the From address (your local domain).

This is because the Return-Path is supposed to be where the bouncebacks go and so is considered a more reliable source of where the the email is coming from.

If it helps any we are being harassed by the exact same spam emails, and again they are tailored to the recipient domains, even to the extent of the name of the payload virus file.

Igors advice about the softfail is a valid one, and this is probably the reason they are using aexp.com as their Return-Path..

Paul.

 

[Sven L.]

Hi Sven,

I'm afraid Igor is right, this is spam, this is email.

Where the confusion is arising is that the From address of an email is ignored where there is a different Return-Path . So the SPF lookups are made against the Return-Path ([email protected]) not the From address (your local domain).

This is because the Return-Path is supposed to be where the bouncebacks go and so is considered a more reliable source of where the the email is coming from.

If it helps any we are being harassed by the exact same spam emails, and again they are tailored to the recipient domains, even to the extent of the name of the payload virus file.

Igors advice about the softfail is a valid one, and this is probably the reason they are using aexp.com as their Return-Path..

Paul.

the bolded part is the problem.

why does SPF, spamassasin, postfix or WHATEVER relay on a useless and easily fake-able "return-path" instead of the TRUE from:?

this is what I think should be fixed. or at least implemented as an OPTION. spf and everything else should base their system around the true FROM: and not a return-path which can be faked with every single webmail or outlook client

 

[SandorM]

Both can be easily faked, in some cases envelope sender (return-path) is harder.
SPF is about envelope sender. That's how the protocol/RFC was written, Parallels can't change that as he wishes.

Is a very hard task to filter on envelope sender and From differences, do to that a lot of valid/non spam messages have different envelope sender and From address.
The easiest example is mailing lists. Where the envelope sender is for example : [email protected] , while the From address is the email address of the person who sent the mail to the list.

You could try the spamassassin rules mentioned in next thread , but they will hit a lot of false positives :
http://spamassassin.1065346.n5.nabb...o-prevent-fake-local-users-spams-td67505.html